Discovered: February 27, 2004
Updated: March 30, 2004 4:34:35 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Trojan.Ibiza is a trojan program that is typically installed when a user visits a malicious website. The trojan exploits the Microsoft Internet Explorer MT-ITS Protocol Zone Bypass Vulnerability (BID 9658) in order to install itself on vulnerable systems.
When a malicious website hosting the trojan is visited by a user, the file chm.chm is downloaded to the system. This file is a compiled HTML help file containing the files launch.htm and mstasks.exe. The launch.htm file contains the following exploit string which will execute mstasks.exe on the system:
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>
When the mstasks.exe file is executed, it creates the following files:
%Windir%\msrt32.dll - keylogger
%Windir%\svchost.exe - periodically emails keylogs to remote attacker
%Windir%\syinis.ini - log file
%System%\svchosts.exe - periodically emails keylogs to remote attacker
%System%\winrr.exe - WinRAR utility
%System%\wmsro32.dll - keylogger
The trojan also creates the following folder:
%System%\ifgar
Various log files are created by the trojan with the extensions .txt, .bmp, and .rar.
The following registry entry is then created so that the trojan executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Online Service = %Windir%\svchost.exe
Additionally, the following registry key is created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Mvtr
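The artifacts listed above can be checked against a host inventory, such as a file listing and registry export taken from a disk image. The following Python sketch is an added example, not part of the original write-up. The triage function, the sample inventory, and the rule that %System% is the System or System32 folder under %Windir% are assumptions made for illustration.

```python
import ntpath

# Indicators from the write-up, relative to %Windir% and %System%.
WINDIR_FILES = {"msrt32.dll", "svchost.exe", "syinis.ini"}
SYSTEM_ITEMS = {"svchosts.exe", "winrr.exe", "wmsro32.dll", "ifgar"}
MARKER_KEY = r"hkey_local_machine\software\microsoft\mvtr"

def triage(windir, paths, run_values, reg_keys):
    """Return (kind, item) hits for the listed artifacts in an inventory.

    run_values maps value names to data from the HKLM ...\\CurrentVersion\\Run key.
    """
    windir = ntpath.normpath(windir).lower()
    # Assumption: %System% is <windir>\System (95/98/Me) or <windir>\System32 (NT/2000/XP).
    sysdirs = {ntpath.join(windir, d) for d in ("system", "system32")}
    hits = []
    for raw in paths:
        parent, name = ntpath.split(ntpath.normpath(raw).lower())
        # svchost.exe is an indicator only directly under %Windir%; the genuine
        # Windows binary of that name lives in %System% on NT-family hosts.
        if (parent == windir and name in WINDIR_FILES) or \
           (parent in sysdirs and name in SYSTEM_ITEMS):
            hits.append(("path", raw))
    dropped = ntpath.join(windir, "svchost.exe")
    for name, data in run_values.items():
        # Accept both the unexpanded and the expanded form of the Run data.
        target = data.strip().strip('"').lower().replace("%windir%", windir)
        if ntpath.normpath(target) == dropped:
            hits.append(("run", name))
    for key in reg_keys:
        if key.rstrip("\\").lower() == MARKER_KEY:
            hits.append(("regkey", key))
    return hits

# Constructed sample inventory for a Windows 2000 host (not real data).
SAMPLE_WINDIR = r"C:\WINNT"
SAMPLE_PATHS = [r"C:\WINNT\system32\svchost.exe",   # genuine location, not flagged
                r"C:\WINNT\svchost.exe",
                r"C:\WINNT\System32\SVCHOSTS.EXE",
                r"C:\WINNT\system32\ifgar",
                r"C:\WINNT\notepad.exe"]
SAMPLE_RUN = {"Online Service": r"%Windir%\svchost.exe",
              "SomeApp": r"C:\Program Files\App\app.exe"}
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Mvtr",
               r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"]

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_WINDIR, SAMPLE_PATHS, SAMPLE_RUN, SAMPLE_KEYS):
        print(kind, item)
```

File names alone are weak evidence, so a hit on a single path should be confirmed against the Run entry or the Mvtr key before treating the host as infected.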